- Cliff Krahenbill aka Prof. K
How I recovered from a ransomware attack
Got hit with the .Doc File Virus, so I thought I would share with you how I was able to recover from the attack. Unfortunately for me, this was a new version of the decrypter ransomware virus, and nothing I tried could detect or remove it; it was too new.
When this happens you have one of three choices:
Wait for the new variant to be analyzed and the fix posted on the Internet.
Pay the $1000.00 to get your files back.
Lose everything and start over.
Ransomware is a huge money maker for cyber criminals, and with the onset of cryptocurrency it has really taken off. The price to decrypt your files? A quarter of a bitcoin, or roughly $1000.00 US. Bitcoins are impossible to trace and, for the time being, unregulated.
The ransomware comes via a .vbs script, which is how I got it. I downloaded a paper from a student at one of the online universities I teach for. I thought it was strange, because the assignment should have been copied and pasted into the text editor used to post the assignment, but it does happen.
As soon as I opened the downloaded Word document my machine went into overdrive, and I noticed every shortcut now appeared as a Microsoft Word icon. Just as suddenly, all my files began to sync with my online storage. I quickly logged off of my Google Drive and my Dropbox, and there on my desktop appeared a text file entitled "You files here.txt" (that is exactly how it was labeled).
Here are the contents of the file:
This file could be found in every folder the ransomware hit. I'm still finding it.
How I fixed the problem
Avast! was useless in detecting the ransomware, nor could it find and remove it. I downloaded Malwarebytes, which was able to find it, but by now the damage was done. I searched high and low for a fix for this variant, but to no avail.
Guideline of life:
If it's important to you, back it up off of your machine and create at least two remote backups and keep one offline.
I deleted my infected install and did a full format. When I finished the reinstall, I reconnected to my Google Drive and Dropbox. Both keep previous versions of each file, so even if the current copy gets encrypted by ransomware, the original is still saved as the previous version.
I don't have a lot of data on Google, so I was able to spend a couple of hours rolling back files to a previous version, and that fixed that. The other issue is that every file gets a new .doc extension appended to it. An example would be myfile.txt.doc, so even though I restored the file, I still had to go in and remove the additional .doc extension from each restored file.
I have a paid account on Dropbox, so I called their tech support and had them roll my files back to a specific day and time. That worked, but I still had to go through all my Dropbox files and remove that annoying .doc extension.
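The extension cleanup described above is tedious by hand. Below is an added PowerShell example (my own, not a script from the original post) that strips the appended ".doc" from restored files under one folder. It assumes the appended extension is exactly ".doc", that a genuine Word file such as report.doc carries no second extension and must be left alone, and that an already-existing clean copy (for example a rolled-back version) should never be overwritten. The script name Strip-RansomExtension.ps1 and the path D:\Restored in the usage line are placeholders.

```powershell
# Added example (not the author's code): undo the extra ".doc" the ransomware appended,
# e.g. "myfile.txt.doc" -> "myfile.txt", for every file under -RestoreRoot.
# Assumptions: the appended extension is exactly ".doc"; a name with no second
# extension ("report.doc") is a real Word document and is skipped; an existing
# target file is never overwritten. Use -DryRun first to review the plan.
param(
    [Parameter(Mandatory = $true)][string]$RestoreRoot,
    [switch]$DryRun
)

$renamed = 0
$skipped = 0

# Where-Object on PSIsContainer (rather than Get-ChildItem -File) keeps this
# working on the PowerShell 2.0 that ships with Windows 7.
Get-ChildItem -Path $RestoreRoot -Recurse -Filter '*.doc' |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $inner = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)   # "myfile.txt"

        # Only act when the name under ".doc" still has its own extension.
        if ([System.IO.Path]::GetExtension($inner) -eq '') {
            $script:skipped++
            return   # inside ForEach-Object, return moves to the next item
        }

        $target = Join-Path $_.DirectoryName $inner
        if (Test-Path -LiteralPath $target) {
            # A clean copy already exists; keep both for manual review.
            Write-Warning "Skipping $($_.FullName): $target already exists"
            $script:skipped++
            return
        }

        if ($DryRun) {
            Write-Host "Would rename $($_.FullName) -> $inner"
        } else {
            Rename-Item -LiteralPath $_.FullName -NewName $inner
        }
        $script:renamed++
    }

Write-Host "Renamed (or planned): $renamed, skipped: $skipped"

# Usage (placeholder path):
#   .\Strip-RansomExtension.ps1 -RestoreRoot 'D:\Restored' -DryRun
#   .\Strip-RansomExtension.ps1 -RestoreRoot 'D:\Restored'
```

Run it with -DryRun against the restored folder first and read the planned renames; the skip-on-existing rule means nothing is lost if a rolled-back version and an encrypted copy sit side by side, and the ransom note text file is untouched because it does not end in .doc.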
The ransomware turned out to be more of an inconvenience than anything else. It took a few hours of my time to restore my OS and files but having everything backed up in the cloud is what saved me this time.
That was my first encounter with ransomware and I take plenty of precautions. This is just an indicator of how sophisticated cyber criminals are becoming at deploying these types of malware attacks.
It's getting to the point where we need to consider using a virtual machine or at least use a sandbox when launching a browser to use the Internet or check your email. The same can be said for downloading and opening attachments from the Internet.
Using a Virtual Sandbox
I've tried two different sandbox programs, Sandboxie and Shade. Sandboxie could not install its driver or start its service. It told me I needed to get a hotfix from Microsoft, but that hotfix is no longer available for download.
Shade installed just fine, but once I added Word to its console, it blue screened my machine. I removed Word from the program and launched one of the three browsers Shade took control of. The browser just gave me a white window with all extensions and add-ons disabled.
I have installed a free IDS/IPS called GesWALL. GesWall blocks any unauthorized access to the system files and isolates your trusted applications. Very simple, nothing to configure.
Microsoft finally released SP1 for Windows 7 and all current updates as a rollup, so I have downloaded and installed both.
Something new I have added to the mix: once the reinstall of the OS is done and I have all my apps installed and the machine is where it needs to be, I perform a full Windows Backup and store that image on an external drive, which I then power off until the next full backup.
I'm still using Avast!, but I found the free version works much better than the paid version.
I stopped using a VPN a while back, but I am seriously reconsidering the need. I stopped using CyberGhost because every time they updated their desktop app it broke my VPN capability, and I finally had enough of it.
I also have backups of my most critical data on a thumb drive, which gets put away in my desk until I need it.
I wanted to share my proof of concept with everyone and let you know you can recover from a ransomware attack if you prepare for one. This is the first time I have been infected in years; I can't remember the last time I had a run-in with any malware.